U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:  ACTION: Quality Control Review of the Report on Controls Over the
          Enterprise Service Center’s Delphi Financial Management System
          Report No. QC-2006-076
Date:     September 29, 2006

From:     Rebecca C. Leng
          Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20

To:       Assistant Secretary for Budget and Programs/Chief Financial Officer

This report summarizes the results of the review of system security controls over the Department of Transportation (DOT) Enterprise Service Center’s (ESC) Delphi Financial Management System. The ESC performs accounting and financial management functions for DOT and other Federal organizations. It is maintained by Federal Aviation Administration employees at the Mike Monroney Aeronautical Center in Oklahoma City.

ESC is one of four Centers of Excellence designated by the Office of Management and Budget to provide financial management information system services to other governmental agencies. ESC supports other Federal entities, the National Endowment for the Arts, and the Institute of Museum and Library Services. The Office of Management and Budget requires Centers of Excellence to provide client agencies with an independent audit report in accordance with the American Institute of Certified Public Accountants (AICPA) Statement of Auditing Standards.

This year’s audit was completed by Clifton Gunderson, LLP, of Calverton, Maryland. We performed a quality control review of the audit work to ensure that it complied with applicable standards. These standards include the Generally Accepted Government Auditing Standards and AICPA’s Statement on Auditing Standards (SAS) 70. In our opinion, Gunderson’s audit work complied with applicable standards.

The Clifton Gunderson audit report concluded that management’s description of controls for the Delphi Financial Management System presents fairly, in all material respects, the controls that had been placed in operation as of May 31, 2006. In addition, on 9 out of 10 control objectives, the independent auditor concluded that controls, as described, are suitably designed and were operating effectively during the period from October 1, 2005, through May 31, 2006. This represents a significant improvement from last year and is the result of a concerted effort made by DOT Headquarters staff and ESC management to implement previous audit recommendations.[1]

This enhanced operational environment enabled auditors to rely on Delphi Financial Management System controls when conducting this year’s financial statement audits. However, continued improvement is needed. Specifically, Gunderson reported that controls were not suitably designed and not operating with sufficient effectiveness to achieve one stated objective, “Logical Access Controls provide reasonable assurance that safeguards are established to prevent or detect unauthorized access.”[2]

• Not Suitably Designed. The computer network architecture was not suitably designed to provide adequate logical access controls. Delphi system servers reside in a network that is shared by all users at FAA’s Mike Monroney Aeronautical Center. The ESC staff responsible for maintaining Delphi does not fully control this shared network. If the network is not properly secured, other systems on this network could become an entry point of unauthorized access to the Delphi Financial Management System. Management should install firewall protection to limit access to Delphi servers by other Aeronautical Center system users.

• Not Operating Effectively. Controls were not operating with sufficient effectiveness in the areas of programmer access to production servers, timely revocation of terminated employees’ system access, and network equipment vulnerability to known security risks. ESC management needs to enforce better control practices.

Gunderson made 12 recommendations to improve controls and submitted them to DOT management. We agree that implementing these recommendations would further enhance controls over Delphi Financial Management System operations and have included these recommendations in this report (see Exhibit). In a September 26, 2006, response to the Office of Inspector General, the DOT Deputy Chief Financial Officer concurred with the recommendations and committed to implementing corrective actions (see Appendix).

In accordance with DOT Order 8000.1C, the corrective actions taken in response to Gunderson’s recommendations are subject to audit follow-up. Gunderson is performing additional testing and will prepare a follow-up management letter to the Office of Inspector General reporting whether the control environment changed significantly between June 1 and September 30, 2006. After receiving Gunderson’s follow-up letter, we will decide whether additional support, including target completion dates, is needed for the corrective actions.

We appreciate the courtesies and cooperation of ESC, the Office of the Secretary of Transportation, and Clifton Gunderson representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1496 or Edward Densmore, Program Director, at (202) 366-4350.

Attachments

#

cc: Chief Information Officer, Department of Transportation
    Federal Aviation Administrator
    Assistant Administrator for Financial Services/CFO, FAA
    Assistant Administrator for Information Services/CIO, FAA
    Assistant Administrator for Region/Center Operations, FAA
    Director, Mike Monroney Aeronautical Center, FAA
    Martin Gertel, M-1
    Anthony Williams, ABU-100

[1] Report Number QC-2005-075, “Quality Control Review of the Report on Controls over the Delphi Financial Management System,” September 2, 2005. In this report, auditors concluded that controls were suitably designed for 8, and operating effectively for 7, of the 10 stated control objectives. OIG reports can be found on our website: www.oig.dot.gov.
[2] The independent auditor’s report is available upon request.


EXHIBIT. RECOMMENDATIONS OF CLIFTON GUNDERSON, LLP, INDEPENDENT AUDITOR

DOT Management should implement the following actions to enhance Delphi security administration controls.

1. Division/Administrative Heads and Departmental COTRs should notify the Delphi ISSO of all new hires and request that the ISSO provide justification that all new system users have received the requisite security training within the mandated 30-day period. These management personnel should ensure strict adherence to existing DOT policies with respect to documenting the new employee/contractor checklist and routing all new hire information via Human Resources to the Delphi ISSO so that mandatory security training can be enforced.

2. Ensure the Delphi Incident Response Capability includes all requirements as stipulated by the National Institute of Standards and Technology – Special Publication 800-61 – “Computer Security Incident Handling Guide”.

DOT Management should implement the following actions to enhance Delphi physical access controls.

3. Perform an analysis of all employees with access to the data center and document the motive for this access. Periodically review this list and have the system owners certify their users. Review access frequency and remove permanent access for employees who do not need this access in the daily execution of their duties.

4. Develop and implement log review policies to ensure the visitor log is filled out in its entirety each time a person visits the data center. Ensure punitive measures are implemented against employees (escorts) who do not abide by these policies.

5. Install Closed Circuit TV cameras.

DOT Management should implement the following actions to enhance Delphi backup, recovery, and maintenance controls.

6. ESC Management should periodically test the SMF Disaster Recovery plan.

DOT Management should implement the following actions to enhance Delphi logical access controls.

7. ESC Management should consider implementing a security enclave that would separate the Delphi servers by placing the servers on their own internal IP network. The access to this network should be controlled by firewalls and monitored by IDS. In the short run, coordinate patch management and other security features for all agencies that own hardware/software in the MMAC data center.

8. ESC Management should review the current rights of programmers and remediate inappropriate access.

9. Management should review the automated process for revoking access to operating system accounts. Review the current process and refine the method of disabling and/or removal of access accounts at the application and operating system levels.

10. Conduct network (internal and external) scans periodically, including scans of System Administrator workstations and terminals. Alternate or rotate scanning software, as different tools, depending on their settings, will capture vulnerabilities differently.

DOT Management should implement the following actions to enhance Delphi application input controls.

11. In addition to the quarterly recertification of user access, we recommend that the Delphi management team strengthen its monitoring techniques over powerful application privileges.

12. We recommend that all Delphi users’ access be reviewed on a quarterly basis to ensure their rights and privileges are based on a need-to-know principle. ESC should enforce this policy for all Delphi Customers. Also, ESC should immediately revoke a user’s access when such revocation is requested by the user’s Security Officer.


APPENDIX. MANAGEMENT COMMENTS

September 26, 2006

MEMORANDUM TO: Rebecca C. Leng
               Assistant Inspector General for Financial, Information Technology, and Departmentwide Programs

FROM:          Larry Neff
               Deputy Chief Financial Officer

SUBJECT:       Management Response to Security Audit of the Delphi Financial Management System

Thank you for the Quality Control Review report of the Delphi Financial Management System, which is operated and maintained for the Department of Transportation by the Enterprise Services Center (ESC) in Oklahoma City. We appreciate all the help the Office of Inspector General (OIG) staff provided in coordinating Clifton-Gunderson's Statement on Auditing Standards (SAS) 70 audit of Delphi for Fiscal Year 2006.

We have worked closely with the auditors throughout this SAS-70 review to ensure that as soon as an issue was raised, immediate action was taken to mitigate risks and to further strengthen Delphi's security controls. Corrective actions taken to enhance Delphi’s security controls in response to this year’s SAS-70 audit include:

• Security Awareness Training procedures for the Office of Enterprise Systems (AME) have been enhanced and management has been informed of the new procedures.

• The Delphi Incident Response Plan has been updated to include all elements as described in NIST 800-61, and the updated plan has been distributed to all Delphi personnel.

• The procedures for handling visitors to the Systems Maintenance Facility (SMF) data center have been enhanced. Visitors to the SMF are now issued Visitor Badges on entering the SMF. These procedures also include updating the SMF Visitor Log.

• The SMF Disaster Recovery Plan has been updated and tested, and the test results have been documented.

• Documentation of SMF Tape Restoration procedures has been completed.

• Production and Development Operating System (OS) accounts have been updated to ensure access is limited based on business need.

• OS Account Revocation procedures have been enhanced.

• All unpatched software has been removed from System Administrators’ workstations.

• Delphi support staff production update responsibilities have been reviewed to ensure all are appropriately end-dated.

• The Delphi User Recertification process has been enhanced and communicated to the Delphi Security Officers.

• All “Null” sessions have been disabled.

• The ISCS has implemented a monthly scan of all Delphi System Administrator, Application Administrator, and Database Administrator workstations.

• Any available and required server patches have been applied.

• Delphi Windows-based servers have had Host-Based firewalls installed.

• All high internal scan findings have been mitigated.

The following additional corrective actions are currently underway:

• The SMF is in the process of researching other methods to enforce visitor sign-in and sign-out.

• Cameras are scheduled to be installed in the SMF as part of the ongoing Aeronautical Center-wide Facility Security Risk Management (FSRM) Project. The cameras will provide surveillance and recording capability for activity within the SMF. The FSRM project's installation, test and commissioning phases are scheduled for December 2006 through May 2008.

• Delphi Windows Servers are scheduled to have Host-Based firewalls installed by December 15, 2006.

• An Access Portal is scheduled to be implemented for access to Delphi applications by December 31, 2007, or earlier if possible, depending on the schedule for the upgrade to release 11.5.10 of the Oracle 11i e-Business Suite. Once implemented, users will only be able to view information on the site after authentication. In addition, research is currently underway to determine if the Delphi Internet Home Page (idelphi) can be disabled.

We look forward to continuing to work with you and your staff to strengthen the design and implementation of Delphi security controls. As a Shared Service Provider (SSP) designated by the Office of Management and Budget (OMB) to provide other Federal agencies with our Delphi financial system and accounting services, we are strongly committed to ensuring that the Delphi Financial Management System meets or exceeds all security requirements.

Thank you for your continuing support and assistance in this effort.

Attachment

cc:
Joann Adam, Lindy Ritz, Stan Sieg, Marshal Gimpel, Bob Stevens, Keith Burlison, Cheryl Rogers, Mike Myers, Laura Ramoly, Phil Loranger, Laurie Howard, Joanne Choi, Sheldon Edner, Arvid Knutsen


FY 2006 Delphi SAS-70 NFR Action Plan Summary
as of September 26, 2006

NFR #  Description                         Status       Corrective Actions
1.1    AME Security Awareness Training     Completed    • Create Security Awareness Training Procedures
                                                        • Inform AME Management of Training Procedures
1.2    Delphi Incident Response Plan       Completed    • Update Delphi Incident Response Plan
                                                        • Internal Management Review of updated Plan
                                                        • Distribute updated Plan to Delphi personnel
2.1    SMF Physical Access                 Completed    • Enhance access procedures
2.2    SMF Visitor Log                     In Progress  • Procure SMF Visitor Badges
                                                        • Implement ID/Badge Swap-Out
2.3    SMF Cameras                         In Progress  • Install Cameras in the SMF
3.1    Test of SMF Disaster Recovery Plan  Completed    • Document SMF DR Test Results
3.2    SMF Tape Restoration Procedures     Completed    • Document Tape Restoration Procedures
4.1    Network Logical Access Controls     In Progress  • Install Host-Based Firewalls on Windows servers
4.2    DEV and PROD OS Accounts            Completed    • Remove OS Access for 3 Programmers
                                                        • Research OS Access of DBA
                                                        • If necessary, remove OS Access of DBA
4.3    OS Account Revocation Process       Completed    • Enhance OS Account Revocation Process
4.4    Website Info Prior to Logon         In Progress  • Implement Portal for Access to all Delphi Apps/Info
4.5    NULL Sessions                       Completed    • Research Need for NULL Sessions
                                                        • If feasible, disable NULL Sessions
4.6    Compromised Workstation             Completed    • Remove Unpatched Software
                                                        • Create Process to Scan SA/DBA/AA Workstations
4.7    Penetration Test Findings           Completed    • Research/Apply Servers Patches, as Appropriate
4.8    Internal Scan Findings              Completed    • Mitigate Internal Scan Findings
5.1    Open/Close Responsibilities         Completed    • End-Date GL Access Responsibilities
5.2    Delphi User Recertification         Completed    • Enhance/Enforce User Recertification Process
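Two of the logical access findings above (Exhibit recommendations 8 and 9; action plan items 4.2 and 4.3) come down to a reconciliation: compare the HR separation feed against the account inventories at both the operating system and the application level, flag accounts still enabled past the revocation deadline, and flag programmers who hold enabled OS accounts on production hosts. The following script is an added example of that reconciliation check; it is not code from the report, the OIG or ESC. Every user id, host name, date, role and the `prod-` naming convention for production hosts is constructed for the illustration, and the grace period after the last working day is an assumed policy parameter.

```python
"""Reconcile HR separations against OS- and application-level accounts.

Added illustration for recommendations 8 and 9 of the report; all data
below is constructed for the example and does not come from the report.
"""
from datetime import date, timedelta
from typing import Dict, Iterable, List, NamedTuple


class Account(NamedTuple):
    user: str
    level: str      # "os" or "app"
    system: str     # host name (os) or application name (app)
    enabled: bool


class Finding(NamedTuple):
    user: str
    level: str
    system: str
    days_overdue: int


# --- constructed sample data (not from the report) ---------------------
# HR separation feed: user id -> last working day.
SEPARATIONS: Dict[str, date] = {
    "jdoe": date(2006, 5, 2),
    "asmith": date(2006, 5, 20),
    "bwong": date(2006, 5, 30),
}

# Account inventories as exported from the servers and the application.
ACCOUNTS: List[Account] = [
    Account("jdoe", "os", "prod-db01", True),
    Account("jdoe", "app", "delphi", True),
    Account("asmith", "os", "prod-app01", False),  # OS side already disabled
    Account("asmith", "app", "delphi", True),       # ...but the app account was missed
    Account("bwong", "os", "dev-app01", True),
    Account("bwong", "app", "delphi", False),
    Account("cprog", "os", "prod-app01", True),
    Account("cprog", "os", "dev-app01", True),
    Account("dadmin", "os", "prod-app01", True),
]

# Job roles used for the programmer-access check (constructed).
ROLES: Dict[str, str] = {"cprog": "programmer", "dadmin": "sysadmin", "jdoe": "accountant"}

# Assumed naming convention: production hosts carry this prefix.
PRODUCTION_PREFIX = "prod-"


def overdue_revocations(as_of: date, separations: Dict[str, date],
                        accounts: Iterable[Account], grace_days: int = 0) -> List[Finding]:
    """Return accounts still enabled after a separated user's revocation deadline.

    The deadline is the last working day plus an assumed grace period; an
    account that is still enabled on the deadline itself is not yet a finding.
    """
    findings: List[Finding] = []
    for acct in accounts:
        last_day = separations.get(acct.user)
        if last_day is None or not acct.enabled:
            continue                       # active employee, or already disabled
        deadline = last_day + timedelta(days=grace_days)
        if as_of > deadline:
            findings.append(Finding(acct.user, acct.level, acct.system,
                                    (as_of - deadline).days))
    # Most overdue first, so the worst gaps head the report.
    return sorted(findings, key=lambda f: (-f.days_overdue, f.user, f.level))


def programmers_on_production(accounts: Iterable[Account],
                              roles: Dict[str, str]) -> List[Account]:
    """Return enabled OS accounts that give programmers direct production access."""
    return [a for a in accounts
            if a.level == "os" and a.enabled
            and roles.get(a.user) == "programmer"
            and a.system.startswith(PRODUCTION_PREFIX)]


if __name__ == "__main__":
    as_of = date(2006, 5, 31)   # the "as of" date used in the audit period
    for f in overdue_revocations(as_of, SEPARATIONS, ACCOUNTS):
        print(f"{f.user:8} {f.level:4} {f.system:12} still enabled, {f.days_overdue} days overdue")
    for a in programmers_on_production(ACCOUNTS, ROLES):
        print(f"programmer {a.user} holds an enabled OS account on {a.system}")
```

Checking both levels separately is the point: in the constructed data one user's OS account was disabled on time while the application account was missed, which is exactly the gap recommendation 9 asks ESC to close at "the application and operating system levels". Running the same reconciliation on a schedule, with the grace period set to the organisation's actual revocation SLA, turns the quarterly recertification in recommendation 12 into a continuous control.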